Computers are connected to storage devices such as disks, tapes, and disk arrays by local busses such as Small Computer Interface (“SCSI”) or by network protocols such as Fibre Channel or SCSI over IP (“iSCSI”). Such connections use packet-based protocols to send data, commands, and status information between computers and storage devices. The data stored on such storage devices is often of a proprietary nature, and the owner of such data desires to prevent unauthorized users from reading or modifying the data.
In the case of networked computer storage, unauthorized users can in many cases gain access to the data stored in such devices. However, it is important to provide data security against a wide spectrum of unknown attacks by providing a system that prevents unauthorized users from understanding the data.
One current way to secure the confidentiality of data on disks and backup media is to encrypt the data using a key. However, this solution requires a key whose use and retention must be tightly controlled, and thus transfers the security problem from the data to the key. Although generally recognized as an improvement, experience shows that the use of keys can be cumbersome and can lack true security, for example, it still allows for insider attacks by people who have legitimate access to the key but who are not trustworthy.
It would be advantageous if such a system could enable data confidentiality against unauthorized users while operating in a completely transparent fashion so that no modification is required to either the computers or the storage devices, which would simplify the integration of such a device with a plurality of computers and storage devices, and require no management of secret keys with their attendant vulnerabilities, costs and complications.